PDF malware analysis — malicious · 957e046ef8918da7

MALICIOUS

PDF

552.5 KB Created: 2022-05-30 03:23:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2022-07-15

MD5: 26e3869a9ab08fea670ba9eaea2f53c0 SHA-1: d31c6a3990170eadf2f50ac8b726e2f510a18319 SHA-256: 957e046ef8918da7859721fcf74e82300078cc36bd0b2869fd818d311c952dd9

66 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The file is identified as a malicious PDF by ClamAV. It contains an embedded URI pointing to a suspicious domain, which is likely part of a phishing or malware distribution scheme. The PDF structure also shows signs of manipulation with duplicate object bodies, further indicating malicious intent. The primary attack vector appears to be social engineering through a deceptive download lure.

Machine Learning

Nyx PDF Classifier suspicious score 0.3336

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ragaz.co.za/XSRYdR1H?utm_term=aditya+hridaya+stotra+in+english+pdf++free+pdf+download
- https://puduwuxibipufu.weebly.com/uploads/1/3/5/9/135966859/67e0f850c2.pdf
- http://czdashan.com/uploadfile/file/2022020705264773499.pdf
- http://chestheart.org/assets/ckeditor/kcfinder/upload/files/zumowulezikifoxotuto.pdf
- https://uncme.org.br/Gerenciador/kcfinder/upload/files/vapowozibudorijose.pdf
- https://sajidukana.weebly.com/uploads/1/4/1/4/141475443/d5bfaf728a9.pdf
- http://www.homefacelifters.com/wp-content/plugins/super-forms/uploads/php/files/b88e63c34db7b08623a94fb973733e9b/givelejoluxit.pdf
- https://dajexuxeguse.weebly.com/uploads/1/3/4/8/134859846/solazimemipijeg.pdf
- https://mazemisa.weebly.com/uploads/1/3/4/6/134692176/gejasoj.pdf
- http://leylatoprak.com/userfiles/file/sefuridapegu.pdf
- https://jinoxunetoxufa.weebly.com/uploads/1/3/4/6/134698665/0177e39b91.pdf
- https://euinsuti.uniluxgym.ro/app/webroot/files/userfiles/files/47067059606.pdf
- https://fapudunaga.weebly.com/uploads/1/3/0/7/130776769/9221943.pdf
- http://pollibox.com/assets/uploads/files/sojosin.pdf
- https://sogekapi.weebly.com/uploads/1/3/4/8/134891770/7171186.pdf
- https://balajihighfields.in/userfiles/file/72895553538.pdf
- https://maxizijemasapeg.weebly.com/uploads/1/4/1/3/141394373/9699429.pdf
- https://listino.sopar.com/img/file/79826323946.pdf
- https://jozinafusidesi.weebly.com/uploads/1/4/1/5/141593839/2674607.pdf
- http://letnaterasa.customreal.sk/data/files/98992909364.pdf
- https://miriziwu.weebly.com/uploads/1/3/0/7/130774981/fuvisarojadako_kewefilida_potudewawo.pdf
- https://tebudewuve.weebly.com/uploads/1/3/2/6/132683230/8745399.pdf
- http://www.aamuhsv-madisonalumni.org/files/files/tuzapamurat.pdf
- https://subujokijaj.weebly.com/uploads/1/3/4/0/134096911/4262127.pdf
- https://perfectsextherapy.com/public_html/userfiles/file/88650845579.pdf
- https://egyiksem.hu/uploads/file/56463296403.pdf
- https://fumamefix.weebly.com/uploads/1/3/0/8/130873833/6ebeaa.pdf
- https://gomarevijupa.weebly.com/uploads/1/3/4/5/134585171/suwimuzujumi.pdf
- https://fulimutalez.weebly.com/uploads/1/3/4/5/134599943/f70c50ef.pdf
- https://bebutilonajakup.weebly.com/uploads/1/4/1/2/141257435/pigaluvuxup.pdf
- https://seerupit.dk/assens/file/72123708245.pdf
- https://jabipiduluw.weebly.com/uploads/1/3/4/6/134662585/gaxuvugebo.pdf
- http://lohoithaiduong.com/uploads/files/pesogulunowazeno.pdf
- https://nasovakuj.weebly.com/uploads/1/3/2/3/132303133/nazokedatorozas.pdf
- https://jopekaraxawil.weebly.com/uploads/1/3/4/5/134589640/7742978.pdf
- https://fogisavelubid.weebly.com/uploads/1/3/5/2/135299906/wesuwumipila-lutuz-wamukedopu-rixabixokozib.pdf
- https://chiataiec.com/userfiles/Proj_Name/files/85300211206.pdf
- https://rafogemi.weebly.com/uploads/1/3/4/7/134754229/kawufebitemap_naduki.pdf
- https://xtremefitksa.xbodyksa.com/ckfinder/userfiles/files/fatavuruvuliluvituxo.pdf
- https://sumolepixa.weebly.com/uploads/1/3/4/6/134635742/e8217b61775b4.pdf
- https://viwapuse.weebly.com/uploads/1/3/5/3/135306484/2037573.pdf
- https://finuredapek.weebly.com/uploads/1/3/4/3/134352460/702970.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000831e6.bin` `3fff09f13a7178c9b83ecf793388512c1f8b82c4425b3c1dad27abb059f71cc3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x831E6	18816 bytes
`font_01_sfnt_off00085fcd.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x85FCD	16792 bytes
`font_02_sfnt_off000877e5.bin` `ca33ad11f164d81f66983aaf94f40de9c4425514612879a6385547827b9e41d1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x877E5	10956 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.